Network Monitor is a software protocol analyzer.
Protocol analyzers eavesdrop on data communications. With Ethernet, every
message sent includes a destination address. A LAN shares its media among
all workstations, and although every NIC detects each message, normally only the
NIC whose address matches the destination will read it. Protocol analyzers take
advantage of the shared environment by putting the NIC in promiscuous mode so
that every message can be read.

Windows Server includes the Lite version of Network Monitor. It captures only traffic to and from the local
server. Microsoft's SMS package includes the full version of Network Monitor, which
uses promiscuous mode and thereby captures all LAN traffic. The binary network frames are then
decoded and displayed, identifying the sender and receiver and labeling all of
the protocol layers and fields.

[Figure: Network Monitor capturing LAN packets (client LAN packets and server LAN packets)]

An important field in TCP and UDP is the port
number. The port number identifies the destination service on the server. For
example, web requests using HTTP will have the port number set to 80. Other
well-known port numbers are listed in the tables below.

UDP port number   Description
---------------   -----------
53                DNS name queries
69                Trivial File Transfer Protocol (TFTP)
137               NetBIOS name service
138               NetBIOS datagram service
161               Simple Network Management Protocol (SNMP)
520               Routing Information Protocol (RIP)

TCP port number   Description
---------------   -----------
20                FTP server (data channel)
21                FTP server (control channel)
23                Telnet server
53                Domain Name System zone transfers
80                Web server (HTTP)
139               NetBIOS session service

Visit www.ethereal.com to get a protocol analyzer similar to Network Monitor. It
will run on Windows Professional, which does not include Network Monitor.

Understanding everything about network
protocols requires long-term study. Network Monitor is an excellent tool to use
in this study. Without much understanding of protocols, you can still use
Network Monitor to study network problems by capturing LAN packets and noting
source and destination addresses for:

  - MAC (Media Access Control) addresses, such as Ethernet addresses
  - IP addresses
  - Port numbers addressing network services
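
The following Python code is an added example, not part of the original page or of Network Monitor. It decodes two constructed Ethernet II frames into the source and destination MAC addresses, IP addresses and port numbers, and labels the service using the port tables above; the function and variable names are assumptions made for this example.

```python
import struct
from ipaddress import IPv4Address

# Well-known ports from this page's tables, keyed by (protocol, port).
SERVICES = {
    ("UDP", 53): "DNS name queries", ("UDP", 69): "TFTP",
    ("UDP", 137): "NetBIOS name service", ("UDP", 138): "NetBIOS datagram service",
    ("UDP", 161): "SNMP", ("UDP", 520): "RIP",
    ("TCP", 20): "FTP server (data channel)", ("TCP", 21): "FTP server (control channel)",
    ("TCP", 23): "Telnet server", ("TCP", 53): "DNS zone transfers",
    ("TCP", 80): "Web server (HTTP)", ("TCP", 139): "NetBIOS session service",
}

# Constructed sample frames (checksums left as zero; they are not validated here).
TCP_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                      # Ethernet II, IPv4
    "45000028" "00010000" "40060000" "c0a8010a" "c0a80101"    # IPv4 header, protocol 6
    "c0000050" "00000000" "00000000" "50022000" "00000000")   # TCP 49152 -> 80
UDP_BROADCAST = bytes.fromhex(
    "ffffffffffff" "66778899aabb" "0800"                      # broadcast destination MAC
    "4500001c" "00020000" "40110000" "c0a8010a" "c0a801ff"    # IPv4 header, protocol 17
    "00890089" "00080000")                                    # UDP 137 -> 137

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def decode_frame(frame):
    """Label the MAC, IP and port fields of an Ethernet II / IPv4 frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    out = {"dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12]),
           "broadcast": frame[0:6] == b"\xff" * 6}
    if frame[12:14] != b"\x08\x00":        # not IPv4: stop at the MAC layer
        return out
    pkt = frame[14:]
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5:
        raise ValueError("bad IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4              # header length in bytes; options make it > 20
    proto = {6: "TCP", 17: "UDP"}.get(pkt[9])
    out.update(src_ip=str(IPv4Address(pkt[12:16])),
               dst_ip=str(IPv4Address(pkt[16:20])), protocol=proto)
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if proto is None or frag_offset or len(pkt) < ihl + 4:
        return out                         # no transport header to read ports from
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    # On a request the destination port names the service; on a reply the source port does.
    service = SERVICES.get((proto, dport)) or SERVICES.get((proto, sport))
    out.update(src_port=sport, dst_port=dport, service=service)
    return out
```

Later fragments of a fragmented IP packet carry no TCP or UDP header, so the decoder reports only the MAC and IP fields for them.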

Network Monitor displays real-time statistics
while capturing data as shown below. The window is divided into panes as
follows.

Take special note of broadcast traffic because
broadcasts cause interrupts on all machines in the subnet. Broadcasts from
remote computers will cause interrupts on every local computer, thereby affecting
the performance of each one.

Once captured, each frame can be viewed and
investigated in the capture window. Initially, the summary pane
displays a summary of each frame in each line. If you double-click one of
the frames, the window then divides into three panes as follows.

Position   Pane          Description
--------   ----          -----------
Top        Summary       One line for each frame
Middle     Detail        One frame decoded
Bottom     Hexadecimal   Raw data

Keyboard Exercise

Start Network Monitor, start the capture and
then wait until some network traffic is collected. Select the Stop and View
option and then investigate some of the captured packets.